Detect Transmitted Data Manipulation in Splunk
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, threatening data integrity. Manipulation may occur over network connections or between system processes, including intercepting clipboard contents to replace cryptocurrency addresses (crypto-clipping), modifying financial wire transfer messages such as SWIFT transactions, or altering email content during transit. Real-world examples include APT38 using DYEPACK to manipulate SWIFT messages, LightNeuron modifying Exchange email content in-flight, and commodity banking trojans Melcoz and Metamorfo silently replacing copied wallet addresses. This technique typically requires prolonged access and specialized knowledge of the target transmission mechanism.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1565 Data Manipulation
- Sub-technique: T1565.002 Transmitted Data Manipulation
- Canonical reference: https://attack.mitre.org/techniques/T1565/002/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval DetectionType=null()
| eval RiskScore=0
| eval DetectionType=if(
EventCode=1
AND (match(lower(Image), "(powershell\.exe|pwsh\.exe|python[23]?\.exe|wscript\.exe|cscript\.exe)"))
AND match(lower(CommandLine), "(get-clipboard|set-clipboard|windows\.forms\.clipboard|getclipboarddata|setclipboarddata|openclipboard|clipboard\.paste|clipboard\.copy|pyperclip|win32clipboard)"),
"ClipboardHijack",
DetectionType
)
| eval RiskScore=if(DetectionType="ClipboardHijack", 70, RiskScore)
| eval DetectionType=if(
EventCode=1
AND match(lower(Image), "netsh\.exe")
AND match(lower(CommandLine), "portproxy")
AND match(lower(CommandLine), "(add|set)")
AND match(lower(CommandLine), "connectaddress"),
"PortProxy_TrafficRedirection",
DetectionType
)
| eval RiskScore=if(DetectionType="PortProxy_TrafficRedirection", 80, RiskScore)
| eval DetectionType=if(
EventCode=8
AND match(lower(TargetImage), "(chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|thunderbird\.exe|iexplore\.exe)")
AND NOT match(lower(SourceImage), "(chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|thunderbird\.exe|iexplore\.exe)"),
"ProcessInjection_NetworkApp",
DetectionType
)
| eval RiskScore=if(DetectionType="ProcessInjection_NetworkApp", 90, RiskScore)
| eval DetectionType=if(
EventCode=13
AND match(lower(TargetObject), "currentcontrolset\\\\services\\\\[^\\\\]+\\\\type$")
AND match(Details, "DWORD \(0x00000001\)"),
"NetworkFilterDriver_NewKernelDriver",
DetectionType
)
| eval RiskScore=if(DetectionType="NetworkFilterDriver_NewKernelDriver", 85, RiskScore)
| eval DetectionType=if(
EventCode=1
AND match(lower(Image), "(arpspoof|ettercap|bettercap|responder|mitmproxy)"),
"MITMTool_Execution",
DetectionType
)
| eval RiskScore=if(DetectionType="MITMTool_Execution", 95, RiskScore)
| where isnotnull(DetectionType)
| table _time, host, User, Image, CommandLine, TargetImage, SourceImage, TargetObject, Details, DetectionType, RiskScore
| sort - RiskScore, - _time

Multi-vector SPL detection for T1565.002 using Sysmon operational logs. It detects five attack patterns via sequential eval logic, where a later eval overwrites DetectionType if its condition also matches, so the last matching pattern wins: (1) clipboard hijacking via scripting engines (Event ID 1); (2) netsh portproxy traffic redirection (Event ID 1); (3) remote thread injection into browser or email processes (Event ID 8, CreateRemoteThread); (4) new kernel driver registration for WFP/NDIS filter setup (Event ID 13, RegistryValueSet writing Type as DWORD 1); and (5) known MITM tool execution (Event ID 1). RiskScore values differentiate severity to assist triage prioritization.
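To check the rule chain offline before deploying the SPL, here is an added Python re-implementation (not part of the original page or the detection package) that applies the same five predicates with the same last-match-wins precedence to a few constructed Sysmon-style events. Narrowing the registry rule to the service's Type value is an assumption about the query's intent drawn from the tuning notes; the event field names mirror the Splunk fields used by the query.

```python
import re

CLIP_API = r"(get-clipboard|set-clipboard|windows\.forms\.clipboard|getclipboarddata|setclipboarddata|openclipboard|clipboard\.paste|clipboard\.copy|pyperclip|win32clipboard)"
NET_APPS = r"(chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|thunderbird\.exe|iexplore\.exe)"
SCRIPT_HOSTS = r"(powershell\.exe|pwsh\.exe|python[23]?\.exe|wscript\.exe|cscript\.exe)"

def _m(pattern, value):
    """Python stand-in for SPL match(lower(field), pattern); an absent field never matches."""
    return re.search(pattern, (value or "").lower()) is not None

RULES = [  # (DetectionType, RiskScore, predicate), in the order of the SPL eval chain
    ("ClipboardHijack", 70, lambda e: e["EventCode"] == 1
        and _m(SCRIPT_HOSTS, e.get("Image")) and _m(CLIP_API, e.get("CommandLine"))),
    ("PortProxy_TrafficRedirection", 80, lambda e: e["EventCode"] == 1 and _m(r"netsh\.exe", e.get("Image"))
        and all(_m(p, e.get("CommandLine")) for p in ("portproxy", "(add|set)", "connectaddress"))),
    ("ProcessInjection_NetworkApp", 90, lambda e: e["EventCode"] == 8
        and _m(NET_APPS, e.get("TargetImage")) and not _m(NET_APPS, e.get("SourceImage"))),
    # Only the service's Type value counts: Start=1 or ErrorControl=1 on an existing
    # service is also "DWORD (0x00000001)" but is not a new kernel driver registration.
    ("NetworkFilterDriver_NewKernelDriver", 85, lambda e: e["EventCode"] == 13
        and _m(r"currentcontrolset\\services\\[^\\]+\\type$", e.get("TargetObject"))
        and "DWORD (0x00000001)" in (e.get("Details") or "")),
    ("MITMTool_Execution", 95, lambda e: e["EventCode"] == 1
        and _m(r"(arpspoof|ettercap|bettercap|responder|mitmproxy)", e.get("Image"))),
]

def classify(event):
    """(DetectionType, RiskScore) or None. Like chained SPL evals, the last matching rule wins."""
    hits = [(name, score) for name, score, pred in RULES if pred(event)]
    return hits[-1] if hits else None

def triage(events):
    """'| where isnotnull(DetectionType) | sort - RiskScore' over a list of event dicts."""
    rows = [(e, *classify(e)) for e in events if classify(e) is not None]
    return sorted(rows, key=lambda r: -r[2])

# Constructed Sysmon-style events (not real telemetry), keyed like the Splunk fields.
SVC = r"HKLM\System\CurrentControlSet\Services"
EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -WindowStyle Hidden Get-Clipboard | Set-Clipboard"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=8080 connectaddress=127.0.0.1"},
    {"EventCode": 8, "SourceImage": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventCode": 13, "TargetObject": SVC + r"\newflt\Type", "Details": "DWORD (0x00000001)"},
    {"EventCode": 13, "TargetObject": SVC + r"\Spooler\Start", "Details": "DWORD (0x00000001)"},  # no hit
    {"EventCode": 1, "Image": r"C:\Tools\bettercap.exe", "CommandLine": "bettercap -iface eth0"},
]
```

Running `triage(EVENTS)` returns the five expected hits ordered 95, 90, 85, 80, 70 and drops the Spooler Start=1 write, which the broader `services\\.+` pattern would have scored as a kernel driver.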
Data Sources
Required Sourcetypes
False Positives & Tuning
- Clipboard manager software (Ditto, ClipboardFusion, CopyQ) legitimately monitors clipboard and will trigger the ClipboardHijack pattern
- Password managers copying credentials to clipboard will match clipboard access patterns in scripting language processes
- IT administrators using netsh portproxy for legitimate port forwarding in test, staging, or jump-host configurations
- Endpoint security products installing NDIS filter drivers (CrowdStrike, Palo Alto, Symantec) will trigger the Type=1 kernel driver registry pattern
- Chromium sandbox processes and GPU helper processes that occasionally create remote threads within the browser process family
- Network debugging tools such as Wireshark (npcap driver) or WinPcap triggering the kernel driver installation detection
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Crypto Clipboard Hijacker Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Clipboard', 'Set-Clipboard', and '-WindowStyle Hidden'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will show the full deobfuscated script including the attacker address. The short-lived process (5 seconds) creates a single process creation event.
- Test 2: netsh PortProxy Rule Creation for Traffic Redirection
Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy', 'add v4tov4', 'listenport=8080', and 'connectaddress=127.0.0.1'. Sysmon Event ID 13 (RegistryValueSet) at HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\127.0.0.1/8080 with the connectaddress value. Security Event ID 4688 (if command line auditing is enabled via GPO) captures the full netsh invocation.
- Test 3: Python Clipboard Monitor with Cryptocurrency Address Pattern
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'pyperclip', 'clipboard', and the regex pattern. If pip install fires, a second child process (pip.exe or python.exe -m pip) creates an additional Event ID 1. Sysmon Event ID 3 may capture outbound connection to PyPI if the pip install path is triggered.
- Test 4: ARP Cache Poisoning with Built-in arp.exe (MITM Precursor)
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\arp.exe, CommandLine='arp -s 192.168.1.254 aa-bb-cc-dd-ee-ff'. Security Event ID 4688 (with process command line auditing enabled) captures the arp invocation. No file or registry changes are written. Verify effect with 'arp -a' — the injected static entry shows type 'static' rather than 'dynamic'.
References (11)
- https://attack.mitre.org/techniques/T1565/002/
- https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
- https://www.justice.gov/opa/press-release/file/1092091/download
- https://securelist.com/brazilian-banking-trojans-and-windows-clipboard/97373/
- https://www.fortinet.com/blog/threat-research/metamorfo-banking-trojan-keeps-targeting-brazil
- https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-much/
- https://learn.microsoft.com/en-us/windows/win32/wfp/windows-filtering-platform-start-page
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1565.002/T1565.002.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table